Anyone Can Look Inside!

Working with OSS today can be a great advantage

More and more companies are benefiting from the use of Open Source Software. Security can be significantly enhanced when codes are presented publicly. Besides, collaboration and transparency stand out among the values of many organizations working with open source methodology.

A few days ago,
we had mentioned the recent increase
in the use of Open Source Software (OSS)
by development teams to support or shape their applications.
As shared by Oram & Bhorat,
"every business and government involved with digital transformation
or with building services in the cloud
is consuming open source software
because it’s good for business and for their mission."

Open source projects have been launched
or used and maintained by large and well-known business groups
such as Google, Facebook, Amazon, Huawei,
and MasterCard, to mention a few.
The production of many of these companies has accelerated
thanks to the use of the open source.
Open source products like Firefox, Linux, and WordPress
are now quite successful in the consumer area.

But what exactly is OSS?

OSS definition and origin

When we talk about 'open source,'
we mean the free availability of the software involved.
We assume that anyone can freely access,
copy, share, and modify the OSS,
including every line of its source code.
The source code, which constitutes the software
and to which many users do not pay attention,
is what programmers or developers manipulate
to generate changes in the way the software works.
Unlike OSS, we have 'proprietary software' or 'closed source software,'
which doesn’t have its full source code available to the public.
Its modification or redistribution may be prohibited or highly restricted.

The free software movement began in the eighties
through Richard Stallman, a programmer at MIT.
It emerged as a response to the limitations (for example, in cooperation)
generated by proprietary software.
As shared in Statskontoret,
Stallman took the cooking as an example and raised questions like:
"How would we experience the world around us
if recipes were not freely available or free to change and modify?"
The fact is that some have been interested in just sharing their final dishes
and keeping their recipes secret.

Now it’s important to get something straight,
based on a post by Kelly & Van De Mark:
'free and open source software'
doesn’t necessarily mean that the software is free of price.
This is an allusion to the freedom of use of the software and the code.
However, "most free open source software is indeed free in price."
Therefore, it is often requested that
the copyright be attributed to the creator(s) and that
OSS quality be preserved when distributed.

In fact, many organizations have achieved success
selling consulting, support, and training services
related to the use of their OSS.
Some companies have chosen to sell exemptions to the terms of their licenses.
In other cases, some products
recommend other complementary products or services.
Other times, OSS creators rely only on donations.

OSS licenses and security

On the legal side,
licenses are not only provided for proprietary software;
they also apply to OSS.
The rights to examine, copy, alter, and distribute
are stipulated in those licenses.
Licenses determine the ways in which individuals inspect,
modify, and distribute software and its code.
For example, 'copyleft' licenses stipulate that
if someone releases a modified open source program,
he must also deliver the corresponding source code.
That is, the terms of distribution or other requirements
for all copies or alterations of all versions must be maintained.
On the other hand, as Moffatt says:
"If a program is free but not copylefted,
some copies or modified versions may not be free at all."

On the security side,
we must be clear that vulnerabilities and gaps are present
in both open and closed source software.
According to a post by Maryna & Vlad,
regarding security, many times when we pay for software,
we are left only with the confidence in the seller.
However, when we have many eyes watching an OSS and the code,
flaws, bugs, errors, or omissions in the program
can be more easily detected and quickly fixed.
Furthermore, the security of some companies using open source,
without teams of cybersecurity experts or at least support communities,
may be at risk from malicious hackers who can take advantage of it.

OSS in business strategies

Many organizations, regardless of their size and field of action,
are recommended to include OSS in their strategies.
For a company using OSS,
an online community discussing its software can be a huge benefit.
As Bromhead pointed out:
"The output tends to be extremely robust, tried, and tested code."
Besides, organizations that make good use of open source
will be able to discover work dynamics
that are more oriented towards collaboration, creativity, and innovation.

Collaboration is helping each other to move a project forward.
Blogs and forums serve as a means to share and exchange knowledge or ideas.
In addition to the fact
that codes and products are continually being reviewed and optimized,
each participant and collaborator
can also receive constructive criticism and feedback.
Customizations made by sometimes thousands of hands on the job
can lead to improvements,
either by adding features or repairing others.
Also, new apps can be developed that are more efficient, more complex,
and better suited to specific needs and preferences.
Additionally, the practices and results of top coders
in one field or another become, through open source,
valuable sources of learning and skill enhancement
for new or experienced developers.

As far as creativity and innovation are concerned:
we must not reinvent what others have already invented.
What already exists is used to give rise to the new.
As Whitehurst suggests, "innovation occurs
only when people feel a certain freedom
to manipulate, experiment, and tinker."
Creative youth can be easily attracted through a business model
that is separate from the traditional.
"This culture is strikingly different from the secretive, hierarchical,
management-driven cultures of most companies today" (Oram & Bhorat).
Great talents can then become part of a company they worked with on an OSS
and contribute to other projects.

The accessibility of the code is a valuable strategy
to avoid giving the impression that something is being hidden.
Then the concept of transparency appears,
being a fundamental principle in open source.
The one that Bryant Son, from Red Hat,
recently pointed out as "critical to making any project successful."
Transparency involves sharing as much information as possible
with the members of the company and all users and collaborators.
Being able to report problems, errors, and methods of solution
is a primary characteristic of a transparent community,
united in favor of security and technological and social advancement.

Following DB Hurley, transparency is not just
about allowing access to code, products, and services.
"It is a commitment to total clarity,
in business practice, structure, finance, and design."
A transparent company does not give the impression
that there is some mystery behind what the code is doing.
It achieves greater trust from customers and communities,
exemplifying an immaculate business practice.

The code created and used by Fluid Attacks is public,
and we believe that strengthens us and reflects transparency.
In the words of Rafael Alvarez, our CTO:
"Public repositories are a bet on transparency
that all actors should make in the long term."
Take a look at our repositories following this link:
gitlab.com/fluidattacks

Do you have any questions or ideas to share?
Don’t forget to contact us!